The White House's new privacy agreement with the Internet's biggest …

Last week, the White House announced a new Internet privacy agreement with the companies serving nearly 90 percent of "online behavioral advertisements," theoretically forcing the likes of Google, Yahoo, Microsoft, and AOL to stop monitoring the Web-surfing habits of users who click a "Do Not Track" button on their browsers.

While a good step toward broader Web privacy protections, the agreement itself illustrates the difficulties of enforcing privacy guidelines on the Web: we must rely on advertisers to police themselves and on browser makers to implement functionality that helps users opt out of behavioral tracking. And in the case of the world's biggest advertiser—Google—the advertising company is also the maker of one of the world's most popular browsers, Chrome.

"We're looking at a Web that has been built around the advertising business model and now we want to retrofit privacy back into the Web, and we run into these deep and hard-to-resolve tensions," said Peter Eckersley, technology projects director for the Electronic Frontier Foundation.

The EFF recently argued that Google's circumvention of default privacy settings in Apple's Safari browser in order to serve up advertising cookies shows the need for a system like Do Not Track. It was only several days later that the White House announced its new agreement with Google, Yahoo, Microsoft, and AOL.

But will Do Not Track really work? The idea is a simple one: give users a button that, when pressed, will send websites an HTTP header that signals the user's preference not to be tracked. The White House said companies that make the Do Not Track commitment "will be subject to FTC (Federal Trade Commission) enforcement." Apparently, that means companies that choose not to make the commitment will not be subject to FTC enforcement.

Fortunately, the biggest players are covered by the agreement. But getting the FTC to act is no simple matter. Do Not Track could ultimately supersede another privacy standard built ten years ago, called P3P, or the Privacy Preferences Project. P3P, which is only implemented by Microsoft's Internet Explorer, blocks third-party cookies unless presented with a policy statement promising not to use the cookie to track the user. It turns out Google, Facebook, and thousands of other websites have found simple technical workarounds to trick P3P into letting the tracking continue.

Lorrie Faith Cranor, who chaired the P3P working group for the World Wide Web Consortium (W3C), told Ars last week that she and her colleagues spoke with governments around the world, and were told that P3P was enforceable under privacy laws. Yet in the past ten years, "I don't know of any regulator that has gone after a company for P3P violations," Cranor said.

Prior to the White House agreement, Cranor said she worried that Do Not Track will end up being just as unenforceable as P3P. After the White House announcement, she was still skeptical that Do Not Track can be enforced. "I don't think the White House announcement gives us enough detail to know for sure," she said. "They made statements to suggest they want it to be enforceable, but not enough details on how that is going to happen."

An industry group called the Digital Advertising Alliance (DAA) said advertisers will respect Do Not Track preferences in cases where the user "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected," but not in cases "where any entity or software or technology provider other than the user exercises such a choice."

A skeptical interpretation of these statements is that the default privacy settings of browsers won't be respected, and that even straightforward language "might turn into some slippery legalese that doesn't promise to do much of anything about tracking," EFF activism director Rainey Reitman states in a blog post.

That skeptical interpretation seems to be confirmed by none other than Google itself. In a statement e-mailed to Ars, Google said its advertising systems "will honor Do Not Track browser signals in accordance with DAA principles, when they see them." The Google statement further notes that "under the agreement, DAA members will respect the header when it is actively chosen by a user, i.e., not as a result of a default setting, and when users are informed of what the header will—and will not—achieve."

In cases when Google's advertising networks see a Do Not Track header and determine that it is legitimate, they will "treat the user’s browsing data in accordance with DAA Principles—including opting the user out of ad targeting and ads using third-party cookies," Google said.

Why we should care

The privacy issues raised by advertising cookies are easy for many people to ignore. Being served up personalized ads based on our search and Web browsing histories (or even based on the contents of our e-mail messages) isn't as harmful as the threat of viruses, or the habit certain governments have of blocking portions of the Web. But it's one of those slippery-slope issues, Eckersley argues.

Governments requesting information about citizens from the advertising companies that know so much about us would be bad enough in the US, but "could become a matter of life and death in the Arab Spring," he said. No matter where you live, there are things you just want to keep private from family, friends, or employers. A person's search history could show that they're looking for a new job, a fact many people would want to keep secret from employers, he said.

Do Not Track won't stop practices such as Gmail's use of targeted advertising based on the contents of e-mail messages. In general, if you sign into a service you're giving up anonymity no matter what browser preferences you have set.

"The general spirit of Do Not Track is that it's there to protect you against companies that you have no relationship with, or companies you're not currently interacting with," Eckersley told Ars. "If part of the bargain for a free webmail service is seeing customized ads, that's something that consumers can make a reasonably informed choice about (in contrast to being tracked by invisible third parties all over the Web)."

You may recall Google's Safari controversy was related to ads served to signed-in Google users. However, that case was threatening because Google's workaround ended up causing Safari to accept all cookies from DoubleClick, Eckersley said. (Google used a hidden form to trick Safari into thinking the user is accepting certain cookies from the Google-owned DoubleClick.) "Even though they weren't doing this circumvention for the main tracking ID cookie on DoubleClick.net, once it had been done, the next time the browser saw a DoubleClick ad it would accept the tracking cookie," Eckersley said. "Google was trying to punch a tiny little hole in Safari privacy protection mechanisms, and that causes the whole thing to burst. The tiny hole becomes a giant hole."

Where is that Do Not Track button, anyway?

All major browsers today support blocking cookies. While this may help maintain privacy, blocking all cookies can limit functionality users want. Cookie-blocking is also not foolproof, because of so-called "supercookies" that resist blocking and deletion attempts, and other tracking tools such as browser "fingerprints" that can identify users with great accuracy even when users block cookies.

That's why a simple "Do Not Track" button is needed, Eckersley argues. But today's Do Not Track options are not made obvious to users. Google provides a "Keep My Opt-Outs" extension for Chrome that "permanently opts your browser out of online and personalization via cookies," but users must locate it in the Chrome Web Store. It's not a native part of the browser, although Google promises to both build a Do Not Track option into Chrome and have its advertising network respect Do Not Track requests by the end of the year.

Firefox has the simplest mechanism, a checkbox providing the option to "tell websites I do not want to be tracked."

Microsoft boasts that "Internet Explorer was the first major browser to respond to the Federal Trade Commission’s call for a do-not-track mechanism," but Internet Explorer's Tracking Protection Lists require customization and are more complicated to use than the Firefox option. Microsoft said in a statement to Ars that it will provide a simpler Do Not Track browser signal as part of its agreement with the White House. Apple signaled its support of Do Not Track in Safari early in 2011.

Ultimately, the success of Do Not Track will depend on it gaining the kind of broad acceptance that P3P never acquired. The White House agreement with advertising companies is a good first step, because Do Not Track is basically unenforceable except when companies agree to follow it. "Today there is no obligation [to respect Do Not Track preferences] except in cases where companies made statements to that effect," Eckersley said.

The EFF hopes Do Not Track will be a platform both government and industry can build on. Now that the mechanism exists, Congress could theoretically write laws or policies requiring its use, Eckersley said. Even companies that don't plan to stop tracking users could come up with user privacy selections that are complementary to Do Not Track.

Facebook, Eckersley said, "is probably never going to comply with requests to not track people when they log into Facebook. It's contrary to the entire design of their website." Still, when Facebook receives a Do Not Track header, perhaps the site could notify users with a popup that says "when you come to Facebook.com, we do track you but here are some settings you might be interested in to control what data you're sharing with other people," Eckersley speculated.

Today's methods for ensuring privacy are so ineffective that many people have simply turned to blocking ads entirely, he noted.

"The problem is if the only way people can get privacy is by blocking all the ads, then we're in a bind," Eckersley said. "If we block all the ads we've pulled the rug out from under the business model that's funding so much of the Web. What we really want is a way to say 'yes I'd like my privacy, but I'm willing to look at ads as well.' That's the thing that's really missing right now."

29 Reader Comments

Reading the promises of these advertisers, it basically amounts to "we're still going to track you, we just won't use the data we collect for things that benefit you, like customized ads, but still reserve the right to use the data for things that benefit us."

This is just an assumption but I doubt that Google could get away with half-doing this. If they do they will get caught. They have really been getting heat for privacy issues lately and I bet there are people whose job it is just to investigate the data collection practices of companies like Google. I actually think* Microsoft has a team dedicated to finding all the "evil" dirt Google has. So I think it can be enforced as long as people are willing to keep an eye on these companies. Anything worth doing requires hard work most of the time.

*just an assumption based on the aggressive attacking Microsoft has shown toward Google lately.

I've been keeping my browser safe for a while. While I run Firefox, I also run NoScript and whitelist what I need, HTTPS Everywhere, BeefTaco and Better Privacy. It is more work initially, but once you get your whitelist set, you will find that you miss out on a ton of advertising. Just remember to whitelist places you like and support them through their advertising.

Microsoft's blocking method may be more complicated, but it also works far better, and has the added bonus that it doesn't care whether a company wants to track you or not. It just blocks them. A "Do Not Track" header is a nice idea, but really, no one needs to actually listen to the header.

"Do Not Track" is useless until someone actually defines *what exactly it means*. Until then, it's a pointless gimmick, making users feel all cosy and secure, while companies will pick whatever loose definition they like in order to operate as they like.

e.g. does DNT prevent:
* website activity logs containing my browsing, page views, etc
* Server-side code that relies on knowing what I have viewed (a shopping cart has to 'track' what you are buying, after all)
* Visiting website A, then visiting website B. Is a company allowed to tie these two visits together with DNT enabled? What if a company only recorded that I visited sites A,B and C without knowing the order, the timing or the linking between the sites? Is that 'tracking' or not?
* Any form of web logs at all? (After all, the IP and HTTP headers can be used to identify individuals)
* Web analytics? Can a DNT visit be counted in web visit stats? Seems OK, but what if the page URL itself could identify and thus track a user? When is the counting OK, when is it bad?

Even the loose terms of not showing 'relevant adverts' is not so great. Ok, so the ads might not be relevant, but are they still using the analytics to profile the user?

What if I am logged into a service (e.g. my Google account) and have DNT enabled? Does my login override the DNT? Companies could argue that my act of signing in is an acknowledgement that I want google to personalize pages for me (like their homepage, etc)

In essence, someone needs to provide a concrete definition of what 'Do Not Track' actually means. Last time I looked, the proposed standards couldn't agree on it...

As far as cookies themselves go, why is it so hard to implement better controls in the browser? You could give options for whitelisting, blacklisting etc. As far as "browser fingerprinting" goes, you could make the already existing privacy browsing option return a generic ID in the browser ID field. Start small and work your way up, see how far those simple options take you and go from there. But if you haven't even done that yet...

Just curious: how does anyone propose to *enforce* these ideas? Violations= court settlements payable to users who find out about it? Fines payable to the government? Violator being put out of business (and how - technically - and to what effect on users)? Brute force arrest of somebody (Who? Including the office secretary?) causing or abetting the violation?

Like the Gmail exception mentioned, I rather suspect we will see another very large loophole -- the same one companies use to exploit phone numbers for telemarketing and selling their mailing lists to 3rd parties. In short, if you have a "business relationship" with them, they'll be able to track you. Got a Google account? Google tracks you and so do all their affiliated businesses.

This one is DOA. It is deliberately contrary to the advertising companies' best interest to not track you; therefore they will slip and dodge and "oops" around any agreement until it's worthless.

Wouldn't all this just be easier if we had a browser that just didn't give out info? I am not a software engineer, but it seems to me that a browser should not have to allow cookies. It also shouldn't be reporting what I click on or where I came from. The browser should be doing my bidding, not some corporation's.

I hate cookies so much. But you can't disable them because then half the web stops working. I am now deleting them wholesale every week or so and just live with the annoyance of having to re-login to forums etc after that. Why can't browsers just automatically block cookies until you push a nice big button to whitelist a site? The current settings are less than useless.

I'm not going to use the do not track header because there are already way too many HTTP headers being sent for every request, making the web even slower than it already is, especially if your upstream speed is limited (which is the case for most people).

"What we really want is a way to say 'yes I'd like my privacy, but I'm willing to look at ads as well.' That's the thing that's really missing right now."

I disagree with this premise. Without tracking cookies, advertisers can do the same thing they have always done in magazines, newspapers, and television -- serve ads that are relevant to the content or to the demographic expected to be reading the content. And get metrics based on the readership of the page from the carrier instead of installing their own surveillance tools.

Of course they also do get one piece of information about the users: that they are the sort of users who do not want to be tracked. I'm sure you can gather some meaningful demographic data about that market segment.

All better than cross-referencing all my browsing and storing in a big database with other personal information where it can be conveniently packaged up and sold, used for spam targeted, or stolen by hackers for the same purposes.

"under the agreement, DAA members will respect the header when it is actively chosen by a user, i.e., not as a result of a default setting, and when users are informed of what the header will—and will not—achieve"

How on earth do they plan to determine that? Ignore the header for any browser that has it on by default?

Why can't browsers just automatically block cookies until you push a nice big button to whitelist a site? The current settings are less than useless.

I use Chrome and there is a little cookie icon in the top right of the address bar that allows you to click there see exactly which cookies have been allowed and which ones have been blocked. You can add them to a white or black list from here. As a result, I block all cookies and then enable the ones I need for sites to work. They stay on the white list for next time.

I'm not going to use the do not track header because there are already way too many HTTP headers being sent for every request, making the web even slower than it already is, especially if your upstream speed is limited (which is the case for most people).

I hate cookies so much. But you can't disable them because then half the web stops working. I am now deleting them wholesale every week or so and just live with the annoyance of having to re-login to forums etc after that. Why can't browsers just automatically block cookies until you push a nice big button to whitelist a site? The current settings are less than useless.

Cookie Controller for Firefox allows you to block all cookies by default and enable them selectively.

Opera allows you to block all cookies and then accept cookies individually by the Site Preferences menu. A little less convenient, but then again, this needs to be done only once for each website that you need to allow cookies for. It may or may not be worth your time...if you use Opera at all, that is.

Otherwise, you could use a program like CCleaner that allows you to select specific cookies to keep before cleaning out everything else. (This also allows you to save Flash cookies, such as for Flash games, if you want to.)

As for staying logged in: perhaps it's time to switch to KeePass or LastPass and simplify logging in so that cookies being removed isn't much of a nuisance at all?

On topic: I don't see DNT being useful at all unless it becomes mandated by law.

For Google to stop stealing your private information it needs to charge you for its browser...let's say $89.95 per year and use of its search engine...let's say $15.00 per month. Multiply that by several billion users.

Short of you paying Google for its services, Google needs to figure out who you are and what you like.

Today's methods for ensuring privacy are so ineffective that many people have simply turned to blocking ads entirely, he noted.

"The problem is if the only way people can get privacy is by blocking all the ads, then we're in a bind," Eckersley said. "If we block all the ads we've pulled the rug out from under the business model that's funding so much of the Web. What we really want is a way to say 'yes I'd like my privacy, but I'm willing to look at ads as well.' That's the thing that's really missing right now."

Well, yes. OF COURSE if you're not trustworthy (and show real signs that you are, PR bullshit and posturing doesn't count) I'll block you completely, that's common sense. That's why the ad firms need to really show they care about privacy as much as we do or else they will not have any access anymore to the technically literate portion of the population.

iljitsch wrote:

I hate cookies so much. But you can't disable them because then half the web stops working. I am now deleting them wholesale every week or so and just live with the annoyance of having to re-login to forums etc after that. Why can't browsers just automatically block cookies until you push a nice big button to whitelist a site? The current settings are less than useless.

Firefox has a nice option: Keep cookies until I close Firefox. I also use the "Better Privacy" plugin which takes care of the Flash cookies and super-cookies.

Otherwise, you could use a program like CCleaner that allows you to select specific cookies to keep before cleaning out everything else. (This also allows you to save Flash cookies, such as for Flash games, if you want to.)

I was also going to suggest CCleaner. One single whitelist for cookies, works across all browsers plus Flash. Keep them across multiple sessions if needed, then delete them at your leisure.

I'm not going to use the do not track header because there are already way too many HTTP headers being sent for every request, making the web even slower than it already is, especially if your upstream speed is limited (which is the case for most people).

The slight increase in request size, a few bytes, would likely be massively outweighed by the removal of the tailored advertising content that couldn't be delivered due to its presence. The slowdown of the internet is nothing to do with the number of outbound headers but more to do with page size bloat to allow designers control over exactly how a page is displayed, which was something that the browser was supposed to do in the first place.

For Google to stop stealing your private information it needs to charge you for its browser...let's say $89.95 per year and use of its search engine...let's say $15.00 per month. Multiply that by several billion users.

Short of you paying Google for its services, Google needs to figure out who you are and what you like.

Realistically, they can't charge. How many people would pay for Chrome, if Firefox remains free?

Personally, I prefer to use programs provided by companies that are not in the advertising business. That removes the financial incentive to undermine my privacy.

I'm not going to use the do not track header because there are already way too many HTTP headers being sent for every request, making the web even slower than it already is, especially if your upstream speed is limited (which is the case for most people).

The slight increase in request size, a few bytes, would likely be massively outweighed by the removal of the tailored advertising content that couldn't be delivered due to its presence. The slowdown of the internet is nothing to do with the number of outbound headers but more to do with page size bloat to allow designers control over exactly how a page is displayed, which was something that the browser was supposed to do in the first place.

Yeah, when a page is slow loading, it's pretty much an indication that I'm not going to like what it will display. And what's with these pages that never stop loading? In Chrome, I've seen sites which, while fully displayed and navigable, continue to show the circular "loading" arrow on the tab. Are those constantly updating ads? Updating cookies? Downloading information from my computer?

You know what's really bad? When I try to book a flight on klm.com, it's not uncommon that some stupid ad server doesn't do its thing the way it should, and the pages never completely render, MAKING IT IMPOSSIBLE FOR ME TO SPEND MY MONEY. How stupid can people be?